What's new in Tornado 3.2.1

May 5, 2014

Security fixes

  • The signed-value format used by RequestHandler.set_secure_cookie and RequestHandler.get_secure_cookie has changed to be more secure. This is a disruptive change. The secure_cookie functions take new version parameters to support transitions between cookie formats.
  • The new cookie format fixes a vulnerability that may be present in applications that use multiple cookies where the name of one cookie is a prefix of the name of another.
  • To minimize disruption, cookies in the older format will be accepted by default until they expire. Applications that may be vulnerable can reject all cookies in the older format by passing min_version=2 to RequestHandler.get_secure_cookie.
  • Thanks to Joost Pol of Certified Secure for reporting this issue.
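
The prefix problem described above, as an added example (not Tornado's code): a simplified model that assumes a tag computed over the cookie name and value with no field boundary, shown beside a length-prefixed encoding of the same fields. The key, function names and sample cookie names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed key, for this example only


def sign_concat(name: str, value: str) -> str:
    """Assumed legacy-style tag: fields are fed to the HMAC with no boundary."""
    mac = hmac.new(SECRET, digestmod=hashlib.sha256)
    for part in (name, value):
        mac.update(part.encode())
    return mac.hexdigest()


def sign_length_prefixed(name: str, value: str) -> str:
    """Hardened tag: every field is encoded as '<length>:<bytes>|' before signing."""
    mac = hmac.new(SECRET, digestmod=hashlib.sha256)
    for part in (name, value):
        raw = part.encode()
        mac.update(b"%d:%s|" % (len(raw), raw))
    return mac.hexdigest()


def verify(sign, name: str, value: str, tag: str) -> bool:
    """Constant-time comparison of the expected tag with the presented one."""
    return hmac.compare_digest(sign(name, value), tag)


def cross_name_accepted(sign) -> bool:
    """True if a tag issued for one cookie also verifies under another name.

    Constructed sample: "lang" is a prefix of "language", so without field
    boundaries ("lang", "uage=en") and ("language", "=en") sign the same bytes.
    """
    tag = sign("lang", "uage=en")
    return verify(sign, "language", "=en", tag)


if __name__ == "__main__":
    print("boundary-free tag reusable across names:", cross_name_accepted(sign_concat))
    print("length-prefixed tag reusable across names:", cross_name_accepted(sign_length_prefixed))
```
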

Backwards-compatibility notes

  • Signed cookies issued by RequestHandler.set_secure_cookie in Tornado 3.2.1 cannot be read by older releases. If you need to run 3.2.1 in parallel with older releases, you can pass version=1 to RequestHandler.set_secure_cookie to issue cookies that are backwards-compatible (but have a known weakness, so this option should only be used for a transitional period).

Other changes

  • The C extension used to speed up the websocket module now compiles correctly on Windows with MSVC and 64-bit mode. The fallback to the pure-Python alternative now works correctly on Mac OS X machines with no C compiler installed.

Original:

https://tornado-zh-cn.readthedocs.io/zh_CN/latest/releases/v3.2.1.html